
All the FAQs, documents and statements published by AWS aside, has any Level 1 merchant actually achieved PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS hadn't been cooperative when their other clients were trying to achieve compliance, and they had to go to Rackspace instead. The issues they ran into were:

  • AWS isn't providing an itemized list of the controls assessed in AWS' own PCI audit, making it impossible for the auditor to mark which items are covered by AWS and which are the responsibility of the client
  • AWS isn't clarifying how the hypervisor was assessed and which tests were performed to ensure tenant isolation

Update: This question was originally asked on StackExchange, but was voted down as not appropriate for that site https://stackoverflow.com/questions/6851259/has-anyone-achieved-level-1-pci-compliance-on-aws

1 Answer


I'd suggest not trying to solve AWS's problem yourself.

Ask your auditor if he will accept a SAS 70 Type 2 audit report of AWS regarding PCI compliance: this means that an external auditor audits AWS for PCI security concerning AWS clients and issues a report. Your auditor then basically rubberstamps it. If the auditor isn't willing to accept this report, ask his management why he isn't and whether they abide by AICPA rules (see Gotchas below though).

If AWS is not willing to undergo such a standard audit process, they basically undermine their entire market position regarding PCI compliance => credit card processing, so I can't imagine they wouldn't cooperate. See e.g. one of the big five... eeh, four accountant firms providing SAS 70 audits, and Wikipedia on SAS 70.

Gotchas: SAS 70 type 2 does not specify what exactly to audit, so you have to make sure your auditor agrees with the scope of the audit in advance: the 2 issues the auditor has being a case in point. Note: SAS 70 type 2 is a US auditing standard that has been around for a while; there might be updated versions/standards for this. If you're in another country, there might be other requirements, but SAS 70 type 2 is very widely used internationally.

However, it might be that your auditor actually has a SAS 70 type 2 report on AWS and thinks the scope is not extensive enough, or the audit was badly done, or the resulting findings/conclusion was negative.

reiniero
    The auditor had clearly stated that in order for them to even proceed with an audit of our AWS-based infrastructure they need to see an itemized list of controls assessed by the QSA for the PCI audit and SAS 70 type 2 wouldn't be applicable in this case. I am of the same opinion as yourself, in that Amazon clearly tries to position itself as a PCI-friendly provider, yet from the auditor's standpoint, they had not cooperated with the QSA trying to get the information from them in the past, which is quite puzzling to me to say the least. I'm hoping that someone succeeded, hence this question. – Boris Slobodin Jul 28 '11 at 12:51
  • Ok, clear enough. Still strange that AWS wouldn't cooperate if the request is valid/plausible, and that SAS70 wouldn't apply, but I'm not a PCI expert... Hope somebody chimes in who achieved compliance, as you asked. – reiniero Jul 31 '11 at 12:56